.\" Manpage for dnstwist
.TH DNSTWIST 1 "December 2022" "" "User Commands"

.SH NAME
dnstwist - domain name permutation engine

.SH SYNOPSIS
.B dnstwist
.RI [ OPTION .\|.\|.]\&
.I DOMAIN
.

.SH DESCRIPTION
Find similar-looking domain names that adversaries can use to attack you. Detect typosquatters, phishing attacks, fraud and brand impersonation.

.SH COMMAND-LINE OPTIONS
.TP
\fB\-a\fR, \fB\-\-all\fR
Print all DNS records instead of the first ones.
.TP
\fB\-b\fR, \fB\-\-banners\fR
Determine HTTP and SMTP service banners.
.TP
\fB\-d\fR, \fB\-\-dictionary\fR \fIFILE\fR
Generate additional domains using a dictionary read from \fIFILE\fR.
.TP
\fB\-f\fR, \fB\-\-format\fR \fIFORMAT\fR
Select the output format. Supported values are: \fBcli\fR (default), \fBcsv\fR, \fBlist\fR, \fBjson\fR.
.TP
\fB\-\-fuzzers\fR \fILIST\fR
Use only selected fuzzing algorithms (separated with commas).
.TP
\fB\-g\fR, \fB\-\-geoip\fR
Perform lookup for GeoIP location.
.TP
\fB\-\-lsh\fR \fI[LSH]\fR
Evaluate web page similarity with LSH algorithm: \fBssdeep\fR (default), \fBtlsh\fR
.TP
\fB\-\-lsh-url\fR \fIURL\fR
Override \fIURL\fR to fetch the original web page from.
.TP
\fB\-h\fR, \fB\-\-help\fR
Display help message and exit.
.TP
\fB\-m\fR, \fB\-\-mxcheck\fR
Check if MX host can be used to intercept e-mails.
.TP
\fB\-o\fR, \fB\-\-output\fR \fIFILE\fR
Save output to \fIFILE\fR.
.TP
\fB\-r\fR, \fB\-\-registered\fR
Show only registered domain names.
.TP
\fB\-u\fR, \fB\-\-unregistered\fR
Show only unregistered domain names.
.TP
\fB\-p\fR, \fB\-\-phash\fR
Render web pages and compare their perceptual hashes to evaluate visual similarity.
.TP
\fB\-\-phash-url\fR \fIURL\fR
Override \fIURL\fR to render the original web page from.
.TP
\fB\-\-screenshots\fR \fIDIR\fR
Save web page screenshots into \fIDIR\fR.
.TP
\fB\-t\fR, \fB\-\-threads\fR \fINUM\fR
Start specified \fINUM\fR of threads.
.TP
\fB\-w\fR, \fB\-\-whois\fR
Lookup WHOIS database for creation date and registrar.
.TP
\fB\-\-nameservers\fR \fILIST\fR
DNS or DNS-over-HTTPS servers to query (comma-separated \fILIST\fR).
.TP
\fB\-\-tld\fR \fIFILE\fR
Generate additional domains by swapping TLD as read from \fIFILE\fR.
.TP
\fB\-\-useragent\fR \fISTRING\fR
Set User-Agent \fISTRING\fR (default: \fBMozilla/5.0 (platform arch) dnstwist/version\fR).

.SH NOTES
DNS fuzzing is an automated workflow for discovering potentially malicious domain names.

The tool will run the provided domain name through its fuzzing algorithms and generate a list of potential phishing domains along with DNS records.
Usually thousands of domain permutations are generated - especially for longer input domains. In such cases, it may be practical to display only registered (resolvable) ones using \fB\-\-registered\fR argument.

Ensure your local DNS server can handle thousands of requests within a short period of time. Otherwise, you can specify an external DNS or DNS-over-HTTPS server with \fB\-\-nameservers\fR argument.

.SS Fuzzy hashing
Manually checking each domain name in terms of serving a phishing site might be time-consuming. To address this, \fBdnstwist\fR makes use of so-called fuzzy hashes (locality-sensitive hash, LSH) and perceptual hashes (pHash). Fuzzy hashing is a concept that involves the ability to compare two inputs (HTML code) and determine a fundamental level of similarity, while perceptual hash is a fingerprint derived from visual features of an image (web browser screenshot). The level of similarity is expressed as a percentage.

Keep in mind it's rather unlikely to get 100% match for a dynamically generated web page. However, each notification is a strong indicator and should be inspected carefully regardless of the score.

.SS Dictionaries
If domain permutations generated by the fuzzing algorithms are insufficient, please use \fB\-\-dictionary\fR option with a file to generate more domain variants.
If you need to check whether domains with different TLDs exist, you can use \fB\-\-tld\fR argument.

.SS Coverage
Along with the length of the domain, the number of variants generated by the algorithms increases considerably, and therefore the time and resources needed to verify them. It's mathematically impossible to check all domain permutations - especially for longer input domains which would require millions of DNS lookups. For this reason, this tool generates and checks domains very close to the original one. Theoretically, these are the most attractive domains from the attacker's point of view. However, be aware that the imagination of the aggressors is unlimited.

Unicode tables consist of thousands of characters with many of them visually similar to each other. However, despite the fact certain characters are encodable using punycode, most TLD authorities will reject them during domain registration process. In general, TLD authorities disallow mixing of characters coming from different Unicode scripts or maintain their own sets of acceptable characters. With that being said, the homoglyph fuzzer was build on top of carefully researched range of Unicode characters (homoglyphs) to ensure that generated domains can be registered in practice.

.SH "AUTHOR"
.LP
Marcin Ulikowski <marcin@ulikowski.pl>
